Merge branch 'open-telemetry:main' into dev

Author: motadata2025

.clomonitor.yml

@@ -0,0 +1,8 @@
+# see https://github.com/cncf/clomonitor/blob/main/docs/checks.md#exemptions
+exemptions:
+  - check: artifacthub_badge
+    reason: "Artifact Hub doesn't support Java packages"
+  - check: signed_releases
+    reason: "Maven central releases are signed and there are no GitHub release artifacts"
+  - check: openssf_badge
+    reason: "ETOOMANYBADGES, but the work has been done: https://www.bestpractices.dev/projects/9991"

.codecov.yaml

@@ -11,7 +11,7 @@ coverage:
   status:
     project:
       default:
-        target: 90%
+        target: 89%
         paths:
           - "!opencensus-shim/"
           - "!opentracing-shim/"

.fossa.yml

@@ -0,0 +1,40 @@
+version: 3
+
+targets:
+  only:
+    - type: gradle
+  exclude:
+    # these modules are not published and so consumers will not be exposed to them
+    - type: gradle
+      path: ./
+      target: ':api:testing-internal'
+    - type: gradle
+      path: ./
+      target: ':exporters:otlp:testing-internal'
+    - type: gradle
+      path: ./
+      target: ':integration-tests'
+    - type: gradle
+      path: ./
+      target: ':integration-tests:graal'
+    - type: gradle
+      path: ./
+      target: ':integration-tests:graal-incubating'
+    - type: gradle
+      path: ./
+      target: ':integration-tests:otlp'
+    - type: gradle
+      path: ./
+      target: ':integration-tests:tracecontext'
+    - type: gradle
+      path: ./
+      target: ':perf-harness'
+    - type: gradle
+      path: ./
+      target: ':testing-internal'
+
+experimental:
+  gradle:
+    configurations-only:
+      # consumer will only be exposed to these dependencies
+      - runtimeClasspath

.github/renovate.json5

@@ -1,11 +1,23 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
-    "config:base"
+    "config:recommended",
+    "docker:pinDigests",
+    "helpers:pinGitHubActionDigests"
   ],
   "packageRules": [
+    {
+      // this is to reduce the number of renovate PRs
+      "matchManagers": [
+        "github-actions",
+        "dockerfile"
+      ],
+      "extends": ["schedule:weekly"],
+      "groupName": "weekly update"
+    },
     {
       "matchPackageNames": [
+        "io.opentelemetry.contrib:opentelemetry-aws-xray-propagator",
         "io.opentelemetry.proto:opentelemetry-proto",
         "io.opentelemetry.semconv:opentelemetry-semconv-incubating"
       ],

.github/repository-settings.md

@@ -5,71 +5,110 @@ Repository settings in addition to what's documented already at
 
 ## General > Pull Requests
 
-* Allow squash merging > Default to pull request title
+- Allow squash merging > Default to pull request title
+
+- Allow auto-merge
 
 ## Actions > General
 
-* Fork pull request workflows from outside collaborators:
+- Fork pull request workflows from outside collaborators:
   "Require approval for first-time contributors who are new to GitHub"
 
   (To reduce friction for new contributors,
   as the default is "Require approval for first-time contributors")
 
-## Branch protections
-
-The order of branch protection rules
-[can be important](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/managing-a-branch-protection-rule#about-branch-protection-rules).
-The branch protection rules below should be added before the `**/**` branch protection rule
-(this may require deleting the `**/**` rule and recreating it at the end).
-
-### `main`
-
-* Require branches to be up to date before merging: UNCHECKED
-
-  (PR jobs take too long, and leaving this unchecked has not been a significant problem)
-
-* Status checks that are required:
-
-  * EasyCLA
-  * required-status-check
-
-### `release/*`
+- Workflow permissions
+  - Default permissions granted to the `GITHUB_TOKEN` when running workflows in this repository:
+    Read repository contents and packages permissions
+  - Allow GitHub Actions to create and approve pull requests: UNCHECKED
+
+## Rules > Rulesets
+
+### `main` and release branches
+
+- Targeted branches:
+  - `main`
+  - `release/*`
+- Branch rules
+  - Restrict deletions: CHECKED
+  - Require linear history: CHECKED
+  - Require a pull request before merging: CHECKED
+    - Required approvals: 1
+    - Require review from Code Owners: CHECKED
+    - Allowed merge methods: Squash
+  - Require status checks to pass
+    - Do not require status checks on creation: CHECKED
+    - Status checks that are required
+      - EasyCLA
+      - `required-status-check`
+      - `gradle-wrapper-validation`
+  - Block force pushes: CHECKED
+  - Require code scanning results: CHECKED
+    - CodeQL
+      - Security alerts: High or higher
+      - Alerts: Errors
+
+### `benchmarks` branch
+
+- Targeted branches:
+  - `benchmarks`
+- Branch rules
+  - Restrict deletions: CHECKED
+  - Require linear history: CHECKED
+  - Block force pushes: CHECKED
+
+### Old-style release branches
+
+- Targeted branches:
+  - `v0.*`
+  - `v1.*`
+- Branch rules
+  - Restrict creations: CHECKED
+  - Restrict updates: CHECKED
+  - Restrict deletions: CHECKED
+
+### Restrict branch creation
+
+- Targeted branches
+  - Exclude:
+    - `release/*`
+    - `renovate/**/*`
+    - `otelbot/**/*`
+    - `revert-*/**/*` (these are created when using the GitHub UI to revert a PR)
+- Restrict creations: CHECKED
+
+### Restrict updating tags
+
+- Targeted tags
+  - All tags
+- Restrict updates: CHECKED
+- Restrict deletions: CHECKED
 
-Same settings as above for `main`, except:
-
-* Restrict pushes that create matching branches: UNCHECKED
-
-  (So that opentelemetrybot can create release branches)
-
-### `renovate/**/**`, and `opentelemetrybot/*`
-
-* Require status checks to pass before merging: UNCHECKED
-
-  (So that renovate PRs can be rebased)
-
-* Restrict who can push to matching branches: UNCHECKED
+## Branch protections
 
-  (So that bots can create PR branches in this repository)
+### `main`, `release/*`
 
-* Allow force pushes > Everyone
+- Restrict who can push to matching branches: CHECKED
 
-  (So that renovate PRs can be rebased)
+## Code security and analysis
 
-* Allow deletions: CHECKED
+- Secret scanning: Enabled
 
-  (So that bot PR branches can be deleted)
+## Secrets and variables > Actions
 
-### `benchmarks`
+- `GPG_PASSWORD` - stored in OpenTelemetry-Java 1Password
+- `GPG_PRIVATE_KEY` - stored in OpenTelemetry-Java 1Password
+- `NVD_API_KEY` - stored in OpenTelemetry-Java 1Password
+  - Generated at https://nvd.nist.gov/developers/request-an-api-key
+  - Key is associated with [@trask](https://github.com/trask)'s gmail address
+- `SONATYPE_KEY` - owned by [@jack-berg](https://github.com/jack-berg)
+- `SONATYPE_USER` - owned by [@jack-berg](https://github.com/jack-berg)
 
-- Everything UNCHECKED
+### Organization secrets
 
-  (This branch is currently only used for directly pushing benchmarking results from the
-  [overhead benchmark](https://github.com/open-telemetry/opentelemetry-java/actions/workflows/benchmark.yml)
-  job)
+- `FOSSA_API_KEY`
+- `OTELBOT_PRIVATE_KEY`
 
-## Secrets and variables > Actions
+### Organization variables
 
-* `GPG_PASSWORD` - stored in OpenTelemetry-Java 1Password
-* `GPG_PRIVATE_KEY` - stored in OpenTelemetry-Java 1Password
-* `SONATYPE_KEY` - owned by [@jack-berg](https://github.com/jack-berg)
-* `SONATYPE_USER` - owned by [@jack-berg](https://github.com/jack-berg)
+- `OTELBOT_APP_ID`

.github/scripts/generate-release-contributors.sh

@@ -86,5 +86,5 @@ echo $contributors1 $contributors2 \
   | grep -v github-actions \
   | grep -v renovate \
   | grep -v codecov \
-  | grep -v opentelemetrybot \
+  | grep -v otelbot \
   | sed 's/^/@/'

.github/scripts/use-cla-approved-github-bot.sh

@@ -1,4 +1,4 @@
 #!/bin/bash -e
 
-git config user.name opentelemetrybot
-git config user.email 107717825+opentelemetrybot@users.noreply.github.com
+git config user.name otelbot
+git config user.email 197425009+otelbot@users.noreply.github.com

.github/workflows/backport.yml

@@ -6,8 +6,13 @@ on:
         description: "The pull request # to backport"
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   backport:
+    permissions:
+      contents: write  # for git push to PR branch
     runs-on: ubuntu-latest
     steps:
       - run: |
@@ -16,24 +21,30 @@ jobs:
             exit 1
           fi
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           # history is needed to run git cherry-pick below
           fetch-depth: 0
 
       - name: Use CLA approved github bot
         run: .github/scripts/use-cla-approved-github-bot.sh
 
+      - uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
+        id: otelbot-token
+        with:
+          app-id: ${{ vars.OTELBOT_APP_ID }}
+          private-key: ${{ secrets.OTELBOT_PRIVATE_KEY }}
+
       - name: Create pull request
         env:
           NUMBER: ${{ github.event.inputs.number }}
           # not using secrets.GITHUB_TOKEN since pull requests from that token do not run workflows
-          GH_TOKEN: ${{ secrets.OPENTELEMETRYBOT_GITHUB_TOKEN }}
+          GH_TOKEN: ${{ steps.otelbot-token.outputs.token }}
         run: |
           commit=$(gh pr view $NUMBER --json mergeCommit --jq .mergeCommit.oid)
           title=$(gh pr view $NUMBER --json title --jq .title)
 
-          branch="opentelemetrybot/backport-${NUMBER}-to-${GITHUB_REF_NAME//\//-}"
+          branch="otelbot/backport-${NUMBER}-to-${GITHUB_REF_NAME//\//-}"
 
           git checkout -b $branch
           git cherry-pick $commit

.github/workflows/benchmark-tags.yml

@@ -3,8 +3,13 @@ name: Benchmark Tags
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   sdk-benchmark:
+    permissions:
+      contents: write # for git push to benchmarks branch
     name: Benchmark SDK
     runs-on: self-hosted
     timeout-minutes: 10
@@ -39,19 +44,19 @@ jobs:
           - v1.30.0
           - v1.30.1
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ matrix.tag-version }}
 
       - id: setup-java
         name: Set up Java for build
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
         with:
           distribution: temurin
           java-version: 17
 
       - name: Set up gradle
-        uses: gradle/actions/setup-gradle@v4
+        uses: gradle/actions/setup-gradle@06832c7b30a0129d7fb559bcc6e43d26f6374244 # v4.3.1
       - name: Run jmh
         run: ./gradlew jmhJar
 
@@ -61,7 +66,7 @@ jobs:
           java -jar libs/opentelemetry-sdk-trace-*-jmh.jar -rf json SpanBenchmark SpanPipelineBenchmark ExporterBenchmark
 
       - name: Store benchmark results
-        uses: benchmark-action/github-action-benchmark@v1
+        uses: benchmark-action/github-action-benchmark@d48d326b4ca9ba73ca0cd0d59f108f9e02a381c7 # v1.20.4
         with:
           tool: 'jmh'
           output-file-path: sdk/trace/build/jmh-result.json

.github/workflows/benchmark.yml

@@ -5,23 +5,28 @@ on:
     branches: [ main ]
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   sdk-benchmark:
+    permissions:
+      contents: write # for git push to benchmarks branch
     name: Benchmark SDK
     runs-on: self-hosted
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - id: setup-java
         name: Set up Java for build
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
         with:
           distribution: temurin
           java-version: 17
 
       - name: Set up gradle
-        uses: gradle/actions/setup-gradle@v4
+        uses: gradle/actions/setup-gradle@06832c7b30a0129d7fb559bcc6e43d26f6374244 # v4.3.1
       - name: Run jmh
         run: ./gradlew jmhJar
 
@@ -31,7 +36,7 @@ jobs:
           java -jar libs/opentelemetry-sdk-trace-*-jmh.jar -rf json SpanBenchmark SpanPipelineBenchmark ExporterBenchmark
 
       - name: Store benchmark results
-        uses: benchmark-action/github-action-benchmark@v1
+        uses: benchmark-action/github-action-benchmark@d48d326b4ca9ba73ca0cd0d59f108f9e02a381c7 # v1.20.4
         with:
           tool: 'jmh'
           output-file-path: sdk/trace/build/jmh-result.json